2 Office of the Saskatchewan Information and Privacy Commissioner. Guide to Faxing: Preventing Breaches with Safeguards and Responding to a Privacy Breach. 5 Feb. 2026. In Saskatchewan, government institutions, local authorities (public bodies) and trustees have a legislated duty to protect personal information (PI) and personal health information (PHI) through The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and The Health Information Protection Act (HIPA). This guide offers a list of necessary safeguards to have in place when faxing PI/PHI, what to do when a misdirected fax is sent or received, and what to expect in an investigation by the Office of the Saskatchewan Information and Privacy Commissioner (OIPC). Privacy breaches by fax occur for a variety of reasons, including user error or failure to update systems. Privacy breaches of this nature, however, are preventable. As such, steps should be taken to prevent a privacy breach from occurring in the first place, including providing ongoing education to staff, and exploring alternative methods of transmitting PI/PHI such as using encrypted file sharing or other secure, electronic methods.1 This guide also offers a checklist for public bodies and trustees to refer to when a misdirected fax is received or sent. What is a Misdirected Fax? A misdirected fax is a fax containing PI/PHI that is received by an unintended recipient without the requisite need-to-know. A misdirected fax results in a privacy breach. Misdirected faxes often occur for the following reasons:2 • Human error – Entering fax numbers incorrectly, relying on auto-suggest functions that bring up the wrong number or searching for the number on the Internet without verifying if the site and number chosen are correct. This can result in sending PI/PHI to the wrong number and being received by an unintended recipient. • Lack of control over who is at the receiving end - Even if sending a fax to the correct number, if the receiving end does not have proper safeguards, PI/PHI can be viewed by an unintended recipient. For example, the faxed information may be left unattended, or the fax machine may be in a location where multiple people have access to it, someone without the need-to-know could access. 1 Northwest Territories Information and Privacy Commissioner Review Recommendation 10-091 at paragraph at page 3. 2 OIPC Investigation Report 032-2022 at paragraphs [36] to [39] discussed several ways or reasons that misdirected faxes occurred that came to the attention of OPIC.
RkJQdWJsaXNoZXIy MTgwMjYzOA==